# Objection Tutorial ## **Introduction** [![objection](https://github.com/sensepost/objection/raw/master/images/objection.png)](https://github.com/sensepost/objection) **objection - Runtime Mobile Exploration** `objection` is a runtime mobile exploration toolkit, powered by [Frida](https://www.frida.re/). It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device. **Note:** This is not some form of jailbreak / root bypass. By using `objection`, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing. ### Resume The **goal** of **objection** is let the user call the **main actions that offers Frida**. **Otherwise**, the user will need to create a **single script for every application** that he wants to test. ## Tutorial For this tutorial I am going to use the APK that you can download here: {% file src="" %} Or from its [original repository ](https://github.com/asvid/FridaApp)(download app-release.apk) ### Installation ``` pip3 install objection ``` ### Connection Make a **regular ADB conection** and **start** the **frida** server in the device (and check that frida is working in both the client and the server). If you are using a **rooted device** it is needed to select the application that you want to test inside the ***--gadget*** option. in this case: ``` objection --gadget asvid.github.io.fridaapp explore ``` ### Basic Actions Not all possible commands of objections are going to be listed in this tutorial, only the ones that I have found more useful. #### Environment Some interesting information (like passwords or paths) could be find inside the environment. ``` env ``` ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2Fa15396d7921ec411dd889b31f1a518fda22f042c.png?generation=1622227476386139\&alt=media) #### Frida Information ``` frida ``` ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2F9181a7d109dccb8412635a30668d8014b6631a5a.png?generation=1622227476787275\&alt=media) #### Upload/Download ```bash file download [] file upload [] ``` #### Import frida script ```bash import ``` #### SSLPinning ```bash android sslpinning disable #Attempts to disable SSL Pinning on Android devices. ``` #### Root detection ```bash android root disable #Attempts to disable root detection on Android devices. android root simulate #Attempts to simulate a rooted Android environment. ``` #### Exec Command ```bash android shell_exec whoami ``` #### Screenshots ```bash android ui screenshot /tmp/screenshot android ui FLAG_SECURE false #This may enable you to take screenshots using the hardware keys ``` ### Static analysis made Dynamic In a real application we should know all of the information discovered in this part before using objection thanks to **static analysis**. Anyway, this way maybe you can see **something new** as here you will only have a complete list of classes, methods and exported objects. This is also usefull if somehow you are **unable to get some readable source code** of the app. #### List activities, receivers and services ``` android hooking list activities ``` ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2F7e07102b4e6f87e96c3cf4594a136d3590691ab7.png?generation=1622227476426733\&alt=media) ``` android hooking list services android hooking list receivers ``` Frida will launch an error if none is found #### Getting current activity ``` android hooking get current_activity ``` ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2F74a3163d5e09a99eb2f038694ec0dbfdcac1a99b.png?generation=1622227476626600\&alt=media) #### Search Classes Lets start looking for classes inside our application ``` android hooking search classes asvid.github.io.fridaapp ``` ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2F1ee9326a975e60d9b89c0e3d5fe185992cbd3fcb.png?generation=1622227476165605\&alt=media) #### Search Methods of a class Now lets extract the methods inside the class *MainActivity:* ``` android hooking search methods asvid.github.io.fridaapp MainActivity ``` ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2F1978dd558bcc997a2b44343ac7af9829143d0dcd.png?generation=1622227476767288\&alt=media) #### List declared Methods of a class with their parameters Lets figure out wich parameters does the methods of the class need: ``` android hooking list class_methods asvid.github.io.fridaapp.MainActivity ``` ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2F006ca9f28c8918e23f7d6a94dcbe93bc208cbad8.png?generation=1622227476382460\&alt=media) #### List classes You could also list all the classes that were loaded inside the current applicatoin: ``` android hooking list classes #List all loaded classes, As the target application gets usedmore, this command will return more classes. ``` This is very useful if you want to **hook the method of a class and you only know the name of the class**. You coul use this function to **search which module owns the class** and then hook its method. ### Hooking being easy #### Hooking (watching) a method From the [source code](https://github.com/asvid/FridaApp/blob/master/app/src/main/java/asvid/github/io/fridaapp/MainActivity.kt) of the application we know that the **function** ***sum()*** **from** ***MainActivity*** is being run **every second**. Lets try to **dump all possible information** each time the function is called (arguments, return value and backtrace): ``` android hooking watch class_method asvid.github.io.fridaapp.MainActivity.sum --dump-args --dump-backtrace --dump-return ``` ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2Fb010358dd58a1b962e52a5c5cccc0ad3fe94e250.png?generation=1622227476369709\&alt=media) #### Hooking (watching) an entire class Actually I find all the methods of the class MainActivity really interesting, lets **hook them all**. Be careful, this could **crash** an application. ``` android hooking watch class asvid.github.io.fridaapp.MainActivity --dump-args --dump-return ``` If you play with the application while the class is hooked you will see when **each function is being called**, its **arguments** and the **return** value. ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2F7db5cbb7b07bcb7fa428cbd450b13cd47f022997.png?generation=1622227477133536\&alt=media) #### Changing boolean return value of a function From the source code you can see that the function *checkPin* gets a *String* as argument and returns a *boolean*. Lets make the function **always return true**: ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2F877c67db112f6e5b507630bf5f8ec5fc1620eb66.png?generation=1622227476732163\&alt=media) Now, If you write anything in the text box for the PIN code you will see tat anything is valid: ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2F3e9c614b9566726b780aa8b994ffe0c333adf618.png?generation=1622227476672033\&alt=media) ### Class instances Search for and print **live instances of a specific Java class**, specified by a fully qualified class name. Out is the result of an attempt at getting a string value for a discovered objection which would typically **contain property values for the object**. ``` android heap print_instances ``` ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2Fbc3c40e93d4448fb6cd7847a09def112744fe463.png?generation=1622227476821740\&alt=media) ### Keystore/Intents You can play with the keystore and intents using: ``` android keystore list android intents launch_activity android intent launch_service ``` ### Memory #### Dump ```bash memory dump all #Dump all memory memory dump from_base #Dump a part ``` #### List ``` memory list modules ``` ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2F2515a86824aeb76433556a4e4d4b9fcd51ba353a.png?generation=1622227476585920\&alt=media) At the bottom os the list you can see frida: ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2Fac353e4c43f8b5470e4ab7e2a302cbb0381340c4.png?generation=1622227476989397\&alt=media) Lets checks what is frida exporting: ![](https://4153509160-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MaoGr_g3I50alM2whW0%2Fsync%2F2f8a8d54cec70561d458fa19b847e4c563761f1b.png?generation=1622227476941056\&alt=media) #### Search/Write You can alse search and write inside memory with objection: ``` memory search "" (--string) (--offsets-only) memory write "
" "" (--string) ``` ### SQLite You cals can use the command `sqlite` to interact with sqlite databases. ### Exit ``` exit ``` ## What I miss in Objection * The hooking methods sometimes crashes the application (this is also because of Frida). * You can't use the instaces of the classes to call functions of the instance. And you can't create new instances of classes and use them to call functions. * There isn't a shortcut (like the one for sslpinnin) to hook all the common crypto methods being used by the application to see cyphered text, plain text, keys, IVs and algorithms used.